author | Kevin Steves <stevesk@cvs.openbsd.org> | 2001-01-28 20:36:17 +0000 |
---|---|---|
committer | Kevin Steves <stevesk@cvs.openbsd.org> | 2001-01-28 20:36:17 +0000 |
commit | 0dbe1344f0223a3711fe88bd4d42c0f6893718f3 (patch) | |
tree | 595ac45c6079a0d6208f5b2eb7918fc6d7fbde85 /usr.bin/ssh | |
parent | bacf4a7fc6dafa780ec51a5381c868a5c0ae88da (diff) |
``StrictHostKeyChecking ask'' documentation and small cleanup.
ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/readconf.c | 4 |
-rw-r--r-- | usr.bin/ssh/ssh.1 | 35 |
2 files changed, 26 insertions, 13 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index 2a55cedfb56..4fc830c9318 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.60 2001/01/28 20:36:16 stevesk Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -357,7 +357,7 @@ parse_flag: intptr = &options->strict_host_key_checking; arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing yes/no argument.", + fatal("%.200s line %d: Missing yes/no/ask argument.", filename, linenum); value = 0; /* To avoid compiler warning... */ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index 621d1af29d1..34f94988808 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.78 2001/01/28 10:24:04 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.79 2001/01/28 20:36:16 stevesk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -924,28 +924,41 @@ The default is If this flag is set to .Dq yes , .Nm -ssh will never automatically add host keys to the +will never automatically add host keys to the .Pa $HOME/.ssh/known_hosts and .Pa $HOME/.ssh/known_hosts2 -files, and refuses to connect hosts whose host key has changed. +files, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good .Pa /etc/ssh_known_hosts and .Pa /etc/ssh_known_hosts2 files installed and frequently -connect new hosts. -Basically this option forces the user to manually -add any new hosts. -Normally this option is disabled, and new hosts -will automatically be added to the known host files. +connect to new hosts. +This option forces the user to manually +add all new hosts. +If this flag is set to +.Dq no , +.Nm +will automatically add new host keys to the +user known hosts files. +If this flag is set to +.Dq ask , +new host keys +will be added to the user known host files only after the user +has confirmed that is what they really want to do, and +.Nm +will refuse to connect to hosts whose host key has changed. The host keys of -known hosts will be verified automatically in either case. +known hosts will be verified automatically in all cases. The argument must be -.Dq yes +.Dq yes , +.Dq no or -.Dq no . +.Dq ask . +The default is +.Dq ask . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be |
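Review bot: in the readconf.c hunk at line 357, the context line right after the changed message still accepts "true" as a synonym for "yes" (strcmp(arg, "true") == 0), while the new fatal() text and the ssh.1 wording in this patch name only yes/no/ask. Either list the accepted synonyms in ssh.1 or add a short comment here saying they are intentionally undocumented, so the parser, the error message and the manual agree on the accepted values.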
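Review bot: the new "no" paragraph in the ssh.1 hunk at line 924 says new host keys are added automatically but, unlike the "yes" and "ask" paragraphs, never says what ssh does when a known host's key has changed. Add a sentence stating that behaviour, so a reader who picks "no" knows what protection remains. The added lines also use both "user known hosts files" and "user known host files"; settle on one spelling. Since the text now states that the default is "ask" and the readconf.c hunks in this patch change only the RCSID and one message, please confirm that the documented default matches what the code initializes.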